This question came from our site for professional and enthusiast programmers.

4

Great question. I'm concerned as well, and particularly troubled by the anonymity of the authors (making it impossible to assess what their motivations might be). I only take (some) comfort from the positive references Bruce Schneier has made to True Crypt on his blog, despite having a business interest in a competing product, though those have been narrow and limited.
–
Will M Jul 15 '10 at 20:32

To be fair, TCHunt has a pretty good FAQ page that states clearly "TCHunt ignores file names and file extensions." I would expect the extension is there for testing purposes only. The key method they use to detect TC volumes is that "contents pass a chi-square distribution test". The idea is that while TC files are indeed indistinguishable from random data, all other files on a system follow patterns, so TC volumes can be detected by simply detecting truly random data.
–
Ilari Kajaste Jul 22 '10 at 8:36

5

Side comment: I consider them as being rude for banning people that ask "dumb" questions...
–
RCIX Jul 31 '10 at 4:47

3

@Ilari Kajaste, but could that tool distinguish a truecrypt volume from something encrypted with GPG, or OPENSSL directly? I would guess that any encrypted volume should be flagged by TCHunt.
–
Zoredache Aug 11 '10 at 7:33

1

@Zoredache: No, as long as the encryption is strong so the result looks like random data, the encryption method isn't distinguishable. Although TCHunt does have some file size checks (modulo of 512)... but as long as the encrypted file has a similar size and has no common file header, it will be detected as a TC file. TCHunt doesn't claim to be a "perfect" detection, but it does seem to be able to detect which files are properly encrypted to look like random data - which is quite good enough.
–
Ilari Kajaste Aug 13 '10 at 19:38
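The two comments above describe TCHunt's heuristics in prose: a chi-square test on the file contents, a size that is a multiple of 512, and no recognisable file header. The following is an added example (not TCHunt's code, and not from anyone in this thread) that implements those three checks on constructed sample data so the reasoning can be seen concretely; the acceptance band for the chi-square statistic and the list of file signatures are assumptions chosen for the illustration. It shows why a text file is rejected immediately (most byte values never occur, so the statistic explodes) while random-looking bytes land near the expected value of 255, and why a perfectly uniform byte sequence is also not "random".

```python
"""Constructed illustration of the heuristics described in the comments above:
a chi-square test on the byte histogram, a file size that is a multiple of 512,
and the absence of a recognisable file header. This is not TCHunt's code, and
the acceptance band CHI_LOW..CHI_HIGH is an assumption for the example."""
import hashlib
from collections import Counter

# Magic bytes of a few common formats; a file that starts with one of these is
# a recognisable format rather than an opaque encrypted container.
KNOWN_MAGICS = {
    b"\x89PNG": "png",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"\x7fELF": "elf",
    b"\xff\xd8\xff": "jpeg",
}

# Assumed band for the chi-square statistic (255 degrees of freedom): uniformly
# random bytes give a value near 255 with a standard deviation of about 22.6.
# Values far above mean structure; values near 0 mean suspiciously perfect
# uniformity, which real encrypted data does not show either.
CHI_LOW, CHI_HIGH = 150.0, 400.0


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform
    distribution over all 256 byte values."""
    expected = len(data) / 256.0
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def known_header(data: bytes):
    """Return the format name if the data starts with a known signature."""
    for magic, name in KNOWN_MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def looks_like_volume(data: bytes) -> dict:
    """Apply the three heuristics and report each result plus the verdict."""
    stat = chi_square(data) if data else float("inf")
    checks = {
        "size_mod_512": len(data) > 0 and len(data) % 512 == 0,
        "no_known_header": known_header(data) is None,
        "chi_square_random": CHI_LOW <= stat <= CHI_HIGH,
    }
    return {"chi_square": stat, **checks, "flagged": all(checks.values())}


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic random-looking bytes (SHA-256 in counter mode) standing in
    for the contents of an encrypted container (constructed sample data)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed samples: 16 KiB each (a multiple of 512).
SAMPLE_CONTAINER = pseudo_random_bytes(16 * 1024)
SAMPLE_TEXT = (b"The quick brown fox jumps over the lazy dog. " * 400)[:16 * 1024]
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + pseudo_random_bytes(16 * 1024 - 8)

if __name__ == "__main__":
    for name, sample in [("container", SAMPLE_CONTAINER),
                         ("text", SAMPLE_TEXT), ("png", SAMPLE_PNG)]:
        print(name, looks_like_volume(sample))
```

As the comments note, nothing here is specific to TrueCrypt: any strongly encrypted blob of suitable size and without a header passes the same checks, which is exactly why such a tool cannot tell a TC volume from a GPG or OpenSSL output.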

I believe that TrueCrypt might be provided by the NSA, CIA, or one of those big Federal agencies for the purpose of promoting encryption for which they have the back door, in order to decrease the use of other encryption that they can't crack. That's the reason for their secrecy around it, and that's why it also is such a well-polished product with good documentation, despite neither being a commercial product nor having the widespread participation of open source developers.

Actually, the Administration encourages the design, manufacture, and use of encryption products and services that allow for recovery of the plaintext of encrypted data, including the development of plaintext recovery systems, which permit through a variety of technical approaches timely access to plaintext either by the owners of data or by law enforcement authorities acting under lawful authority. Only the widespread use of such systems will both provide greater protection for data and protect public safety.

....

The Department's goal -- and the Administration's policy -- is to promote the development and use of strong encryption that enhances the privacy of communications and stored data while also preserving law enforcement's current ability to gain access to evidence as part of a legally authorized search or surveillance.

...

In this regard, we hope that the availability of highly reliable encryption that provides recovery systems will reduce the demand for other types of encryption, and increase the likelihood that criminals will use recoverable encryption.

-1 This sounds like a conspiracy theory. I find it hard to believe in a backdoor in TrueCrypt, seeing that the source is available for scrutiny. Do you have any proof for your claims?
–
sleske Apr 2 '12 at 8:57

2

I didn't make up the above, it's on a web page published by the US government. As far as TrueCrypt is concerned, people who have compiled the source observe that their binaries don't match the binaries from TrueCrypt's web site. So it would be easy for them to put a back door in the binaries. Hiding back doors in the source code is less likely, but isn't impossible either.
–
Mike Rowave Apr 3 '12 at 2:17

2

What do you mean by "observe that their binaries don't match the binaries from TrueCrypt's web site"? If you mean the checksums are different then that's normal. Binaries from compiling the same source code on the same system at different times will result in different checksums.
–
segfault May 14 '13 at 21:39

Well, the TrueCrypt project may well be run in a fashion that is inhospitable/hostile to outsiders (anonymous devs, no Changelog), but I don't see how that relates to it being secure or not.

Look at it like this: If the devs really wanted to screw people by putting backdoors into TrueCrypt, it would make sense for them to be nice, so people are less suspicious.

In other words, whether the software is trustworthy is quite independent from whether the devs are sociable people or not. If you believe the availability of source code is not enough to ensure security, you will have to organize a code audit. There certainly are people outside the TrueCrypt project who look at the source code, so a deliberate backdoor is probably hard to hide, but there might be hidden bugs. This bug in Debian's OpenSSL package went unnoticed for quite a while.

About acting nice: since they know this argument, they should be playing rude to avoid suspicion. Wait, if they know that argument, they should be playing nice! No, wait! Hmmm, I guess it's impossible to know.
–
Peter Jaric Apr 2 '12 at 7:55

I think the point everyone is missing is that if someone is considering using Truecrypt, that person has to be 100% certain it's secure; if not, their very life may be in danger. It's not Flash Player or a fart app for your iPhone; it's an application where, if it fails, it may mean someone is killed over the information discovered.

Would you rather have an app that people DO question and whose source is available - or one supplied by a nice shiny American corporation that nobody doubts?
–
Martin Beckett Aug 29 '10 at 5:01

The point that people are trying to make is that it's the most secure program that exists right now. Until quantum computing becomes feasible, nobody can crack your container protected by this. truecrypt.org/docs/?s=encryption-scheme
–
TheLQ Aug 29 '10 at 20:32

I don't understand how asking questions is seen as wrong. Using Truecrypt and knowing, or asking more, about it are not mutually exclusive; both can exist at the same time. If the application is strong, you can know all about it and still be able to use it to encrypt data. We can agree to disagree, but getting muzzled and labeled a troublemaker on any forum is a big red flag to me for any application, and for something like Truecrypt it's chilling.
–
dghughes Aug 29 '10 at 21:50

You stated that if "someone is considering using Truecrypt that person has to be 100% certain it's secure" and I would like to know "why?" Many people put trust in many products with very little to no certainty at all that the products are secure, so why should TrueCrypt be any different? Especially for non-technical end-users, this is a very difficult requirement for them (they usually rely on their own experts or the product's documentation to make these determinations).
–
Randolf Richardson Feb 19 '11 at 17:12

Because, as I mentioned above, it's not your average application, since some people are risking their lives using it; if it fails to keep their secrets they may be tortured or killed.
–
dghughes Apr 21 '12 at 22:03

I've used truecrypt for a few years now, and when you take a look at their encryption scheme, the other small issues that you pointed out won't do anything to its security. Even a 15-year Computer Engineer/Cryptanalyst was impressed by it.

And just because it does not have a repository does not mean that it's not open source. I can head over to the download section and get all the source code, which in reality is what you're looking for.

The forums are the only weak spot. I haven't seen any bans though, only flame wars. Do you have any proof of bans?

Answers so far have discussed how much trust can be put in TrueCrypt's encryption. According to the documentation, TrueCrypt uses good encryption algorithms; however, this is only part of the story, as the cryptographic algorithms are not the hardest part of a security-intensive program. The source code of TrueCrypt is available for review, which is a point in its favor.

There are other points to consider when evaluating a program to protect confidential data.

Does the program also provide data integrity? TrueCrypt doesn't. Data integrity means that someone who has temporary access to your computer cannot replace your data with modified data. It is particularly important to protect your operating system: if someone is after your data, they might install a keylogger to capture your passphrase the next time you type it, or some other malware that indirectly gives them access to your data. So if you don't have a way of detecting such tampering, don't leave your computer unattended.

How widely available is the program? TrueCrypt rates fairly high on that count: it's available on all major desktop operating systems (Windows, Mac, Linux); it's free, so you don't have to worry about license cost; it's open source, so others could take on development if the current development team suddenly disappears; it's widely used, so someone is likely to step up if the current team disappears. The lack of public access to the source control system (individual patches with their change messages) is a point against, though.
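The answer above distinguishes confidentiality (which TrueCrypt provides) from data integrity (which it does not). The following added example, which is not TrueCrypt's code nor anyone's from this thread, makes that distinction concrete with a toy keystream cipher built from SHA-256 in counter mode (an assumption for the illustration; it is not TrueCrypt's XTS mode). Someone who can write to the stored file but does not have the key can still XOR a chosen mask into the ciphertext, and decryption then returns a silently altered record. Adding an HMAC tag over the ciphertext, computed with a separately derived key, turns the same modification into a detected failure. Modern designs use an AEAD mode for this, but the standard-library construction below shows the mechanism.

```python
"""Added illustration of what 'data integrity' adds on top of encryption. The
cipher here is a toy keystream built from SHA-256 in counter mode (constructed
for this example; it is not TrueCrypt's XTS mode). Encryption alone lets anyone
who can write to the stored ciphertext flip chosen plaintext bits without the
key; an HMAC tag over the ciphertext makes such tampering detectable."""
import hashlib
import hmac


def derive_keys(master: bytes) -> tuple:
    """Separate keys for encryption and authentication (derived, never reused)."""
    return (hashlib.sha256(b"enc|" + master).digest(),
            hashlib.sha256(b"mac|" + master).digest())


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || block counter), concatenated."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def encrypt_only(master: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream, no tag."""
    enc_key, _ = derive_keys(master)
    stream = keystream(enc_key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, stream))


decrypt_only = encrypt_only  # XOR is its own inverse


def flip_byte(ciphertext: bytes, offset: int, mask: int) -> bytes:
    """What write access to the stored file allows without the key: XOR-ing a
    ciphertext byte XORs the same mask into the corresponding plaintext byte."""
    buf = bytearray(ciphertext)
    buf[offset] ^= mask
    return bytes(buf)


def seal(master: bytes, nonce: bytes, plaintext: bytes) -> tuple:
    """Encrypt, then authenticate nonce and ciphertext with the MAC key."""
    _, mac_key = derive_keys(master)
    ct = encrypt_only(master, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def verify(master: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the stored tag against a fresh one."""
    _, mac_key = derive_keys(master)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def open_sealed(master: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Refuse to decrypt anything whose tag does not verify."""
    if not verify(master, nonce, ciphertext, tag):
        raise ValueError("integrity check failed: stored data was modified")
    return decrypt_only(master, nonce, ciphertext)


# Constructed demo values.
MASTER_KEY = b"constructed-demo-master-key"
NONCE = b"\x00" * 8
RECORD = b"transfer amount: 0100 USD"


def demo() -> dict:
    """Run the tamper scenario without and with the integrity tag."""
    mask = ord("0") ^ ord("9")           # turns the leading '0' of the amount into '9'
    offset = RECORD.index(b"0100")
    ct = encrypt_only(MASTER_KEY, NONCE, RECORD)
    forged = flip_byte(ct, offset, mask)
    ct2, tag = seal(MASTER_KEY, NONCE, RECORD)
    forged2 = flip_byte(ct2, offset, mask)
    return {
        "decrypted_forgery": decrypt_only(MASTER_KEY, NONCE, forged),
        "tag_ok_original": verify(MASTER_KEY, NONCE, ct2, tag),
        "tag_ok_forged": verify(MASTER_KEY, NONCE, forged2, tag),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The integrity tag only covers the data it is computed over; as the answer says, it does nothing against a keylogger or tampered operating system, which is why detecting tampering of the system itself (or not leaving the machine unattended) is the other half of the advice.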

This is a good point, and I do recall reading about this in the documentation -- so, I'm just pointing out that TrueCrypt.org is playing fair in this regard by explaining it instead of hiding it.
–
Randolf Richardson Apr 2 '11 at 16:59